[5930] in bugtraq
Re: Addendum to FrontPage password issue
daemon@ATHENA.MIT.EDU (Kosmas Skiadopoulos)
Sun Jan 11 14:09:18 1998
Date: Sun, 11 Jan 1998 16:38:15 +0200
Reply-To: Kosmas Skiadopoulos <kosmas@INCREDIBLE.COM>
From: Kosmas Skiadopoulos <kosmas@INCREDIBLE.COM>
X-To: hostmaster <root@VICTIM.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980109165140.17715A-100000@burn.victim.com>
On Fri, 9 Jan 1998, hostmaster wrote:
>
> Sorry for the false alarm. There are still some very strange things =
going
> on with the default installation scripts' use of permissions and I in=
tend
> to review this more thoroughly over the weekend.
>
>
Well the alarm is not totally false, frontpage IS bogus as HELL, but th=
ere
is a way to circumvent the cretinous way this is set up.
You can set up all of your frontpage users as group web and set the use=
rs'
permissions as 715 , that is effect disallows other "web" users from
accessing other individuals accounts, while retaining "nobody" as your
main http daemon user. Then you can use apache's suexec wrapper to do t=
he
suing for the frontpage extensions provided that you have httpd.conf se=
t
up correctly i.e. with User and Group statements.
We know that this is a far from perfect solution but at least i=
t
somwhat works on a production system.
____________________________________________
http://www.incredible.com
E-mail:info@incredible.gr
=C1=F0=DF=F3=F4=E5=F5=F4=E1 =C4=DF=EA=F4=F5=E1 Incredible Networ=
ks
=F4=E7=EB: (1) 92 12 312 tel +30 1 921 2312
fax: (1) 92 12 314 fax:+30 1 921 2314
